Research in Computer Viruses and Wormsengweb.swan.ac.uk/~tmchen/papers/talk-lmu-Oct2004.pdf · Research in Computer Viruses and Worms. ... Biological virus Computer virus Consists

Tom ChenSMU

[email protected]

Research in Computer Viruses and Worms

TC/Londonmet/10-6-04 SMU Engineering p. 2

• About Me and SMU

• Background on Viruses/Worms

• Research Activities

- Virus research lab

- Early detection

- Epidemic modeling

Outline


About Me

• PhD in electrical engineering from U. California, Berkeley

• GTE (Verizon) Labs: research in ATM switching, traffic modeling/control, network operations

• 1997 joined EE Dept at SMU: traffic control, mobile agents, network security


About SMU

• Small private university with 6 schools - engineering, sciences, arts, business, law, theology

• 6,300 undergrads, 3,600 grads, 1,200 professional (law, theology) students

• School of Engineering: 51 faculty in 5 departments

• Dept of EE: specialization in signal processing, communications, networking, optics

Background on Viruses and Worms


Motivations

Can one IP packet cripple the Internet within 10 minutes?


one UDP packet

- More than 1.2 billion US dollars damage- Widespread Internet congestion- Attack peaked in 10 minutes- 70% South Korea’s network paralyzed- 300,000 ISP subscribers in Portugal knocked off line- 13,000 Bank of America machines shut down- Continental Airline’s ticketing system crippled

376 bytesIP/UDP Internet

25 January 2003example


one UDP packet

SQL Sapphire/Slammer worm

376 bytesIP/UDP Internet

25 January 2003example


• 70,000+ viruses are known -- only hundreds “in the wild”

• A few viruses cause the most damage

Top Viruses/Worms

Worldwideeconomic

impact(US$ billions)

up to 2001

*estimated by Computer Economics 2001

Love Letter Code Red Sircam Melissa ExploreZip

$8.7 B

$2.6 B$1.1 B $1.1 B $1.0 B


• Viruses/worms are consistently among most common attacks

Prevalence

% Organizationsdetected

virus/wormattacks

*2003 CSI/FBI Computer Crime and Security Survey

1997 1998 1999 2000 2001 2002 2003

82% 83%90%

85% 94%85% 82%


• Third most costly security attack (after theft of proprietary info and DoS)

Damages

Average lossper organization

due to virus/worms (US$ K)

*2003 CSI/FBI Computer Crime and Security Survey

1997 1998 1999 2000 2001 2002 2003

$75K $55K $45K

$180K$243K

$283K

$200K


• Key characteristic: ability to self-replicate by modifying (infecting) a normal program/file with a copy of itself

- Execution of the host program/file results in execution of the virus (and replication)

- Usually needs human action to execute infected program

What are Viruses


Cohen’s Viruses

• Nov. 1983 Fred Cohen (“father” of computer virus) thought of the idea of computer viruses as a graduate student at USC

- “Virus” named after biological virus

• Cohen wrote the first documented virus and demonstrated on the USC campus network


Cohen’s Viruses (cont)

Biological virus Computer virus

Consists of DNA or RNA strand surrounded by protein shell to bond to host cell

Consists of set of instructions stored in host program

No life outside of host cell Active only when host program executed

Replicates by taking over host’s metabolic machinery with its own DNA/RNA

Replicates when host program is executed or host file is opened

Copies infect other cells Copies infect (attach to) other host programs


Virus Examples

Prependingviruses

Appendingviruses Original program Virus code

JumpJump

Overwritingviruses Original partVirus code

Original program

Virus code Original program


Virus Anatomy

Prevents re-infection attemptsMark (optional)

Infectionmechanism

Trigger (optional)

Payload(optional)

Causes spread to other files

Conditions for delivering payload

Possible damage to infected computer (could be anything)


What are Worms

• Worm is also self-replicating but a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network

- Unlike viruses, worms do not need to parasitically attach to other programs

- Inherently network dependent

- Do not need any human action to spread


Worm Anatomy

- Structurally similar to viruses, except a stand-alone program instead of program fragment

- Infection mechanism searches for weakly protected computers through a network (ie, worms are network-based)

- Payload might drop a Trojan horse or parasitically infect files, so worms can have Trojan horse or virus characteristics

Mark (optional)

Infectionmechanism

Trigger (optional)

Payload(optional)


Worms (cont)

• Worms are more common and dangerous than viruses today

- Virtually all computers are networked

- Worms spread quickly through networks without need for human actions

- People are more alert about viruses (disable MS Office macros, turn on antivirus software,…)


1979

1983

1988

1999200020012003

1992

1995

Virus/Worm Highlights

John Shoch and Jon Hupp at Xerox

25 y

ears

Fred Cohen

Robert Morris Jr

Melissa (March), ExploreZip (June)Love Letter (May)Sircam (July), Code Red I+II (July-Aug.), Nimda (Sep.)

Slammer (Jan.), Blaster (Aug.), Sobig.F (Aug.)

Virus creation toolkits, Self Mutating EngineConcept macro virus


1979

Wave 1 : Experimental

1983

1988

1999200020012003

1992

1995

Past Trends: 4 Waves

Wave 2 : Cross platform, polymorphic

Wave 3 : Mass e-mailers

Wave 4 : Dangerous, fast, complex,...


1979

1983

1987

1988

1989

1990

1986

Wave 1

John Shoch and Jon Hupp - Xerox worms

Fred Cohen

Robert Morris wormWank worm

Stoned virus

Brain virus

Christma Exec virus


Wave 1 Highlights

• Most viruses limited to DOS and spread slowly by diskettes

• Experiments with worms (Xerox, Morris) got out of control

• Beginnings of stealth viruses and social engineering attacks


1992

1994

1996

1997

1998

1995

Wave 2

Polymorphic generators (MtE, SMEG, NED),virus construction toolkits (VCL, PS-MPC)

Pathogen, Queeg polymorphic viruses

Bliss virus for Linux

CIH virus, HLLP.DeTroie virus

Concept macro virus

Boza, Tentacle, Punch viruses for Windows


• Easy-to-use virus toolkits allow large-scale automated creation of viruses

• Polymorphic generators allow easy creation of polymorphic viruses (appearance is scrambled) - challenges antivirus software

• Most viruses target Windows

• Macro viruses go cross-platform

Wave 2 Highlights


1999

2001

2000

Wave 3

Happy99 worm

Melissa macro virus

Hybris worm

Anna Kournikova worm

Love Letter worm

PrettyPark, ExploreZip worms

BubbleBoy virus, KAK worm


Wave 3 Highlights

• Mass e-mailing viruses become most popular

- Attacks increase in speed and scope

• Social engineering (tricking users into opening attachments) becomes common

• Worms start to become dangerous (data theft, dynamic plug-ins)


2001

2002

2003

Wave 4

Ramen, Davinia worms

Badtrans, Klez, Bugbear worms

Lirva, Sapphire/Slammer worms

Fizzer worm

Blaster, Welchia/Nachi, Sobig.F worms

Slapper wormWinevar worm

Lion, Gnutelman wormsSadmind wormSircam, Code Red I, Code Red II wormsNimda worm

Gibe worm


• New infection vectors (Linux, peer-to-peer, IRC chat, instant messaging,...)

• Blended attacks (combined vectors)

• Dynamic code updates (via IRC, web,...)

• Dangerous payloads - backdoors, spyware

• Armored viruses try to disable antivirus software

• Sophisticated worms (Code Red, Nimda, Slammer, Blaster) spread very fast

Wave 4 Highlights


Top 2004 Worms

• MyDoom spreads by e-mail to Windows PCs, searches for e-mail addresses in various files, opens backdoor for remote access

• Netsky spreads by e-mail, exploits Internet Explorer to automatically execute e-mail attachments, removes MyDoom and Bagle from PCs


Top 2004 Worms (cont)

• Bagle spreads by e-mail, tries to remove Netsky from PCs, opens backdoor for remote access, downloads code updates from Web, disables antivirus and firewall software


Current Defenses

• Antivirus software

• Operating system patching

• Firewalls

• Intrusion detection systems (IDS)

• Router access control lists

So why do worm outbreaks continue?


Software Issues

• Antivirus software works by virus signatures combined with heuristics

- Signatures are more accurate, but need time to develop for each new virus and constant updating

- Heuristics can detect new viruses before signature is available, but not perfect detection

• Many people do not use antivirus software or keep it updated


Software Issues (cont)

• OS patches are announced regularly, but not always used

- Constant patching takes time and effort

- Patches can cause software conflicts

- Patches are often available only for most critical vulnerabilities

• Missed patches leaves window of vulnerability for worms to exploit


Network Issues

• Firewalls are partially effective but

- Need expert configuration of filter rules

- May still allow viruses/worms to pass via allowed services

- May allow new viruses/worms to pass

• Current IDS equipment are susceptible to high rates of false positives (false alarms)

- Detection accuracy is major issue

Research Activities


• Virus research lab

• Early detection of worms

• Epidemic modeling

Research Activities


Virus Research Lab

• Distributed computers in EE building and Business School

Internet Campusnetwork

Cox Business School

EE Building


Virus Research Lab (cont)

• Intrusion detection systems to monitor live traffic

- Snort, Prelude, Samhain

• Honeypots to catch viruses

- Honeyd, Logwatch, Nagios

• Network/virus simulator

- To simulate virus behaviors in different network topologies


Early Detection of Worms

• Goal is global system for early warning of new worm outbreaks

• Jointly with Symantec to enhance their DeepSight Threat Management System

- DeepSight collects log data from hosts, firewalls, IDSs from 20,000 organizations in 180 countries

- Symantec correlates and analyzes traffic data to track attacks by type, source, time, targets


Early Detection (cont)

• Architecture of DeepSight

IDSIDS

Data collection

Correlation+ analysisSignatures

Internet


Early Detection (cont)

• Addition of honeypots to DeepSight

• Honeypots are “decoy” computers configured to appear vulnerable to attract attacks and collect data about attacker behavior

- Can be used to capture worms

- Carefully restricted from spreading any attacks to network


Epidemic Modeling

• Epidemic models predict spreading of diseases through populations

- Deterministic and stochastic models developed over 250 years

- Helped devise vaccination strategies, eg, smallpox

• Our goal is to adapt epidemic models to computer viruses and worms

- Take into account different behavior of computer viruses and effect of network congestion


Basic Epidemic Model

• Assumes all hosts are initially Susceptible, can become Infected after contact with an Infected

- Assumes fixed population and random contacts

• Number of Infected hosts shows logistic growth


Numberinfected

Observed

Predicted

Basic Epidemic (cont)

• Logistic equation predicts “S” growth

• Observed worm outbreaks (eg, Code Red) tend to slow down more quickly than predicted


Basic Epidemic (cont)

• Initial rate is exponential: random scanning is efficient when susceptible hosts are many

• Later rate slow downs: random scanning is inefficient when susceptible hosts are few

• Spreading rate also slows due to network congestion caused by heavy worm traffic


Dynamic Quarantine

• Recent worms spread too quickly for manual response

• Dynamic quarantine tries to isolate worm outbreak from spreading to other parts of Internet

- Cisco and Microsoft proposals

• Epidemic model?


Quarantining (cont)

• “Community of households” epidemic model assumes

- Population is divided into households

- Infection rates within households can be different than between households

• Similar to structure of Internet as “network of networks”


Quarantining (cont)

Network(household)

Network(household)

Network(household)

Network(household) Inter-network infection

rates -- Control these rates for quarantining

Intra-network infection rates


Conclusions

• Viruses and worms will continue to be an enormous network security problem

• New technologies are needed in

- Early detection

- Dynamic quarantining

- Intrusion-tolerant networks

Documents

Research in Computer Viruses and Wormsengweb.swan.ac.uk/~tmchen/papers/talk-lmu-Oct2004.pdf · Research in Computer Viruses and Worms. ... Biological virus Computer virus Consists